A couple of weeks back, I upgraded one of my Pis to Bullseye, so far my
only Pi on Bullseye. Since then at 1541 each day, I've noticed a large
spike in the incoming network activity. Sunday saw a spike of 779KBytes
out of daily total of 1610KB.
Curious as to what was going on, I installed Tshark, and set it up to
run for 3 minutes from 1539, sending the output to a file. Upon looking
at the file, I found that apart from the usual network chatter (e.g. the router asking who had a particular address), I found the following :
A bit of whois'ing suggests that :
217.169.20.20 is my ISP
46.235.231.145 is Mythic Beasts, with an address in Cambridge (UK)
146.75.74.132 is Fastly with a location of San Francisco
So what is going on ? It looks as though it is looking for updates, is
it harmless ?
Adrian <bulleid@ku.gro.lioff> wrote:
A couple of weeks back, I upgraded one of my Pis to Bullseye, so far my
only Pi on Bullseye. Since then at 1541 each day, I've noticed a large
spike in the incoming network activity. Sunday saw a spike of 779KBytes
out of daily total of 1610KB.
Curious as to what was going on, I installed Tshark, and set it up to
run for 3 minutes from 1539, sending the output to a file. Upon looking
at the file, I found that apart from the usual network chatter (e.g. the
router asking who had a particular address), I found the following :
A bit of whois'ing suggests that :
217.169.20.20 is my ISP
46.235.231.145 is Mythic Beasts, with an address in Cambridge (UK)
146.75.74.132 is Fastly with a location of San Francisco
So what is going on ? It looks as though it is looking for updates, is
it harmless ?
Mythic Beasts host raspberrypi.com and some of the Raspbian infrastructure.
I'm not sure about Fastly, but that appears to be DNS traffic. I can't see
anything immediately obvious around raspbian.org, raspberrypi.com,
raspberrypi.org etc using Fastly for its DNS, but it's possible something
is, especially if you have other things in your /etc/apt/sources.list
(are there any third party repos in there, like Wolfram?)
I would guess the traffic is it checking for updates, so that wouldn't worry me.
deb http://deb.debian.org/debian bullseye main contrib non-free
I would guess the traffic is it checking for updates, so that wouldn't worry me.
Theo wrote:
I would guess the traffic is it checking for updates, so that wouldn't worry me.
it's not so much a spike as a grain of dust under the carpet ...
In the grand scheme of things, you're right. However, for that
particular Pi, it stood out like a sore thumb (~50% of the day's incoming
network traffic in under a minute), hence why it attracted my attention.
From past experience (with pre-Bullseye Pis), it was unexpected, and I
get suspicious if things aren't working as expected. In this case, it
appears that it is doing what it should be doing, so that is OK.
On Tue, 21 Mar 2023 12:55:49 +0000, Adrian <bulleid@ku.gro.lioff> declaimed the following:
In the grand scheme of things, you're right. However, for that
particular Pi, it stood out like a sore thumb (~50% of the day's incoming
network traffic in under a minute), hence why it attracted my attention.
From past experience (with pre-Bullseye Pis), it was unexpected, and I
get suspicious if things aren't working as expected. In this case, it
appears that it is doing what it should be doing, so that is OK.
Have you looked at the various crontab files (both logged in user and
system tables) for something set to trigger around that time?
There isn't anything that I've set up (/var/spool/cron/crontab/*) and
there doesn't appear to be anything for that time in /etc/crontab
On 2023-03-22, Adrian <bulleid@ku.gro.lioff> wrote:
There isn't anything that I've set up (/var/spool/cron/crontab/*) and
there doesn't appear to be anything for that time in /etc/crontab
Do you have unattended-upgrades
or apt-config-auto-update installed?
In message <ftmk1i1hdgukvvg0te72r7f670f31hivcu@4ax.com>, Dennis Lee
Bieber <wlfraed@ix.netcom.com> writes
On Tue, 21 Mar 2023 12:55:49 +0000, Adrian <bulleid@ku.gro.lioff> declaimed the following:
In the grand scheme of things, you're right. However, for that
particular Pi, it stood out like a sore thumb (~50% of the day's incoming
network traffic in under a minute), hence why it attracted my attention.
From past experience (with pre-Bullseye Pis), it was unexpected, and I
get suspicious if things aren't working as expected. In this case, it
appears that it is doing what it should be doing, so that is OK.
Have you looked at the various crontab files (both logged in user and
system tables) for something set to trigger around that time?
Thanks.
I hadn't, but I have now.
There isn't anything that I've set up (/var/spool/cron/crontab/*) and
there doesn't appear to be anything for that time in /etc/crontab
In article <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim
Jackson <jj@franjam.org.uk> wrote:
Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
What about "crontab -l"?
Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
both cron and anacron syslog messages indicating when they run jobs in
those directories.
In message <slrnu1mmdi.2ci.jj@iridium.wf32df>, Jim Jackson
<jj@franjam.org.uk> writes
Check the jobs in directories /etc/cron.{hourly,daily,weekly,monthly}
Thanks
Ah.
$ ls -lrt /etc/cron.daily
...
-rwxr-xr-x 1 root root 1478 Jun 10 2021 apt-compat
Which appears to run /usr/lib/apt/apt.systemd.daily
both cron and anacron syslog messages indicating when they run jobs in
those directories.
In /var/log/syslog, I get :
Mar 22 15:40:21 pi5 PackageKit: refresh-cache transaction /30_cbeebbce
from uid 1000 finished with success after 3718ms
Mar 22 15:40:32 pi5 PackageKit: get-updates transaction /31_dacabccd
from uid 1000 finished with success after 10649ms
I think that explains it.
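
Added example, not part of the thread: one way to automate the last step above, listing the scheduler and package-manager entries that syslog recorded within a couple of minutes of a traffic spike. The sample log is constructed (the two PackageKit lines are modelled on the ones quoted in the thread), and the `SCHEDULERS` tag list, function name and 120-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in classic syslog format. The PackageKit lines follow
# the ones quoted in the thread; the CRON and dhcpcd lines are invented filler.
SAMPLE_SYSLOG = """\
Mar 22 15:17:01 pi5 CRON[2101]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
Mar 22 15:40:21 pi5 PackageKit: refresh-cache transaction /30_cbeebbce from uid 1000 finished with success after 3718ms
Mar 22 15:40:32 pi5 PackageKit: get-updates transaction /31_dacabccd from uid 1000 finished with success after 10649ms
Mar 22 15:41:07 pi5 dhcpcd[512]: eth0: Router Advertisement from fe80::1
Mar 22 16:17:01 pi5 CRON[2230]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
"""

# Syslog program tags treated as "something scheduled ran" (assumed list,
# limited to the programs the thread mentions).
SCHEDULERS = {"CRON", "anacron", "PackageKit"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def events_near(log_text, spike, window_s=120):
    """Return (timestamp, program, message) tuples for scheduler-type
    entries logged within window_s seconds of the spike time."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] not in SCHEDULERS:
            continue
        # Classic syslog timestamps carry no year; borrow it from the spike.
        ts = datetime.strptime(f"{spike.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if abs(ts - spike) <= timedelta(seconds=window_s):
            hits.append((ts, m["prog"], m["msg"]))
    return hits


if __name__ == "__main__":
    # Spike time taken from the traffic graph (15:41 in the thread).
    spike = datetime(2023, 3, 22, 15, 41)
    for ts, prog, msg in events_near(SAMPLE_SYSLOG, spike):
        print(ts.time(), prog, msg)
```

On a real system, pass the contents of /var/log/syslog instead of the sample; an empty result for an unexplained spike is the case worth investigating further.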